Emailing Records FAQs:
- How can I send secure email?
HSC campus users can type [secure] in the Subject line of a message to ensure that the message will be sent securely from their OUHSC.edu email accounts. Norman users can type [OUENCRYPT] in the Subject line of a message to ensure that the message will be sent securely from their OU.edu email accounts. Be advised that the information in the subject line will not be encrypted; only the information in the email body is encrypted. Your subject line should not include any PHI. To read or view a message sent as a Secure Email, the recipient is required to complete a short, one-time registration with the Secure Email system.
For the HSC campus, OUHSC IT has also established encrypted channels for the secure transmission of email between the OUHSC email system and business partner email systems. For a list of those business partners with secure channels, see Secure Email and TLS.
- What if I have a large file size?
If you anticipate sending records to a patient or their designee that exceed the size limitation for the campus email system, there are other internal options.
For HSC: https://it.ouhsc.edu/services/securefiletransfer.asp
For Norman Campus: please reach out to your HCC technical representative or me for further guidance.
- What if the patient doesn’t want the email to be sent securely?
The HIPAA Emailing and Transmitting policy does provide guidance on how to handle those requests as well. For record releases, the new email statement and acknowledgment on the updated forms replace the need to verify the patient has a Consent for Electronic Communication form already on file or to complete a new one. If the patient has submitted a request or an authorization form that is not ours but is still compliant for release, you can follow the steps listed in the FAQ below.
- What if the patient doesn’t complete our form with the email statement but still wants records sent via email?
After verifying the authorization is compliant for release under HIPAA policy, you will need to take one of the following steps before emailing the records:
1) Verify the patient already has a Consent for Electronic Communication form on file and the email address matches.
2) Have the patient complete a Consent for Electronic Communication form (if the records are going to the patient directly and they wish to consent to future electronic communication).
3) Obtain written confirmation from the patient that the patient understands that the email will not be secure and may be intercepted by an unauthorized individual, but still wishes to receive the PHI via email or have the PHI sent via email to a third party. This can be done via email, fax, mail, or whatever means is convenient for the patient.
a. Additionally, a new Consent for Electronic Communication of Medical Records form has been made specifically for release of records via email and is attached here and posted on the HIPAA website. If the patient is unable to sign and return the Consent for Electronic Communication of Medical Records form, they can confirm their consent and authorization to the form in an email. The exception to signing the form is limited only to the Consent for Electronic Communication of Medical Records form and only after the patient has signed a compliant release for medical records.
No matter which option you pursue with the patient, the patient’s confirmation must be maintained in the patient’s file for six (6) years.